Proposed FFIEC Guidance on Financial Institution Social Media Use

The Federal Financial Institutions Examination Council (FFIEC) released for comment on January 17 its proposed Social Media: Consumer Compliance Risk Management Guidance. There is a 60-day comment period. The purpose of the guidance is to help banks, savings associations, credit unions, and non-bank entities supervised by the Consumer Financial Protection Bureau (CFPB) understand and address the risks created by the applicability of federal consumer protection and compliance laws to activities conducted through social media.

The guidance begins with the premise that a financial institution’s use of social media to interact with customers can affect the institution’s risk profile, not only through legal and compliance risks but also through related risks of harm to operations and reputation. To address these risks, the FFIEC recommends that financial institutions adopt a risk management program to identify, monitor, and control the risks associated with their use of social media. The complexity of the program should be commensurate with the risks created by the nature and scope of the institution’s social media activity. The guidance identifies seven components that the social media risk management program should contain: (1) a governance structure; (2) policies and procedures; (3) a vetting and management process for vendors; (4) employee training; (5) monitoring of posts to proprietary social media sites; (6) audit/compliance functions to ensure ongoing compliance; and (7) parameters for reporting on the effectiveness of the program to management.

The guidance then discusses in greater detail the risks created by social media use. The compliance and legal risk section summarizes laws and regulations that may apply when a financial institution uses social media. The laws discussed include Truth in Savings, Fair Lending, Fair Housing, Truth in Lending, RESPA, FDCPA, UDAAP, EFTA, BSA/AML, and privacy (GLBA, COPPA, TCPA, CAN-SPAM). Under reputational risk, the guidance recommends that financial institutions adopt policies addressing employee participation in social media, a topic with employment law implications in light of recent NLRB decisions. The operational risk discussion is brief. It says, in essence, that institutions should safeguard customer data and their own systems, because social media is one of the platforms vulnerable to account takeover and the distribution of malware, and that the controls an institution already uses against these threats should cover its social media activity. Accordingly, the guidance recommends that an institution’s incident response protocol for security events such as account takeover address social media as appropriate.

The FFIEC is specifically seeking comments by March 18 on the following questions:

1. Are there other types of social media, or ways in which financial institutions are using social media, that are not included in the proposed guidance but that should be included?

2. Are there other consumer protection laws, regulations, policies or concerns that may be implicated by financial institutions’ use of social media that are not discussed in the proposed guidance but that should be discussed?

3. Are there any technological or other impediments to financial institutions’ compliance with applicable laws, regulations, and policies when using social media of which the Agencies should be aware?